Self-propagating ZeuS-based source code/binaries offered for sale

Like every ecosystem, the cybercrime ecosystem has its own set of market disrupting forces whose applicability and relevance truly shape the big picture at the end of the day. For years, cybercriminals have been porting, localizing (MPack/IcePack, FirePack) and further contributing to the the development of malware/crimeware/Web malware exploitation kits, either through direct cooperation with the original author of a particular release, or on the basis of leaked or commerciallyavailable source code.

With more high profile malware source code leaks continuing to take place, more cybercrime-friendly coders now have access to sophisticated antivirus detection bypassing techniques. Access to these techniques will definitely spark the introduction of “new” features within the coders’ own set of underground market releases in an attempt to catch up with the market leading competition.

Two weeks ago, we began monitoring a cybercrime ecosystem advertisement offering access to self-propagating ZeuS-based source code. It sparked several important questions in the overall context of today’s underground market – is coding custom malware for hirestill a relevant monetization tactic? Do low/high profile leaks of malware source code actually allow virtually anyone with less sophisticated coding capabilities to re-purpose, brand and start selling their own malware? Or is the underground system still largely dominated by vendors ‘pushing’ their product/service strategies to meet the demand for these kinds of assets?

Let’s find out.

Sample screenshot of the source code offered for sale:

The price for the source code is between $160-$180, and between $80-$100 for the actual compiled binaries. According to its author, it’s a modified version of a private bot that, despite active testing, was never released in the wild. It can be controlled via IRC/HTTP and soon, P2P. Based on the actual advertisement, the malware spreads through RDP (Remote Desktop Protocol) exploitation, email, and Facebook. It also has its own built-in mechanism to detect/prevent researchers from interacting with it. Payment methods accepted? PayPal and Bitcoin.

What’s particularly interesting about this underground market ad is that one of the community members publicly challenged the legitimacy of the proposition, as the seller doesn’t use escrow services, won’t offer screenshots or video demonstration, as well as the fact that the RDP (Remote Desktop Protocol) exploitation that was demonstrated to him over IRC (Internet Relay Chat) took place on hosts where the RDP ports — if any based on testing — were non-standard.

Although we believe that the ad is genuine, what’s really taking place here is monetization of commoditized underground market goods, like malware source code in this case. It’s also worth emphasizing on the fact that, despite the popularity of the ‘malware authors need to innovate’ myth among Internet users, it really doesn’t need to in order to efficiently infect tens of thousands of hosts on a daily basis. Thanks to efficient Web malware exploitation kits and platforms, cybercriminals have virtually every asset at their disposal to accomplish their fraudulent or malicious objectives.